Subject: Draft minutes for 14-Feb-2006 SSTC con-call, with attendance
> 1. Roll Call

Attendance of Voting Members

Steve Anderson (BMC Software)
Sharon Boeyen (Entrust)
Brian Campbell (Ping Identity)
Scott Cantor (Internet2)
Guy Denton (IBM)
Heather Hinton (IBM)
Frederick Hirsch (Nokia)
Jeff Hodges (NeuStar)
John Hughes (Individual)
Dana Kaufman (Forum Systems)
Ari Kermaier (Oracle)
Hal Lockhart (BEA Systems, Inc)
Paul Madsen (NTT Corporation)
Eve Maler (Sun Microsystems)
Prateek Mishra (Oracle)
Jahan Moreh (Sigaba)
Bob Morgan (Internet2)
Anthony Nadalin (IBM)
Ashish Patel (France Telecom)
Nick Ragouzis (Enosis Group)
Greg Whitehead (Hewlett-Packard Company)
Thomas Wisniewski (Entrust)

Attendance of Non-Voting Members

Bhavna Bhatnagar (Sun Microsystems)
Vamsi Motukuru (Oracle)

Membership Status Changes

Marie Henderson (NZ State Services Commission) - Requested and was granted membership 2/2/2006
Bill Young (NZ State Svcs Commission) - Requested and was granted membership 2/2/2006
Bhavna Bhatnagar (Sun Microsystems) - Granted voting status after 2/14/2006 call
Mike Beach (The Boeing Company) - Lost voting status after 2/14/2006 call
Peter Davis (NeuStar) - Lost voting status after 2/14/2006 call
Cameron Morris (Novell) - Lost voting status after 2/14/2006 call

> 2.
> Approve minutes from 31-Jan con-call
> http://www.oasis-open.org/archives/security-services/200601/msg00061.html

APPROVED by unanimous consent.

> 3.
> FYI: Announcing the March Liberty Alliance Interoperability Conformance Event
> http://www.oasis-open.org/archives/security-services/200602/msg00011.html

This is just an FYI.

New administrative agenda item: consideration of the XACML TC's "SAML profile of XACML":
http://lists.oasis-open.org/archives/security-services-comment/200602/msg00000.html

Eve moved and Hal seconded that we include a (non-endorsing) link to this material on our website. APPROVED by unanimous consent.

AI: Eve to add a link for the SAML V2.0 profile of XACML V2.0 to the SSTC website's courtesy-links section.

> 4.
> Rob Philpot steps down as Chair after 3+ years
> http://www.oasis-open.org/archives/security-services/200602/msg00030.html
>
> (a) Rob cannot attend today but will join us for the meeting on the 28th
>
> (b) Motion: Thank Rob for his leadership of the TC and work on specifications;
> includes SAML 1.1 thru SAML 2.0 and several recent drafts.

Eve moved and both Hal and Jeff seconded :-) . APPROVED by unanimous consent. Thanks, Rob, for all your contributions and hard work!

> (c) Schedule election for new Co-Chair on the 28th. Please nominate yourself if
> interested.
>
> TC process link: http://www.oasis-open.org/committees/process.php#2.7

Voting members: take note and be sure to attend the meeting on February 28 for this. Nominations may be made by email (preferred) or on the next call.

> 5.
> Vote on initiating public review of CDs (Full Majority Vote)

Some editorial work has been requested on one of these drafts. If they don't change the semantics materially, it could be appropriate to go ahead and conduct our public-review vote.

Ashish: Notes that Paul Madsen recently asked a question about bundling of current vs. future extensions.

Scott: However, this particular draft, the protocol extensions document, is not up for a public-review vote.

Paul's message: http://lists.oasis-open.org/archives/security-services/200602/msg00027.html

Scott: Moves to put all four of the (below-listed: 5a-d) CDs into public review. Greg seconds. (But see below for a change to the motion.)

Hal: Are the drafts in question scheduled for revision in the near future?

Scott: Other than Rob's commentary, which could be construed as public-review-type comments, no. The docs have not changed since officially published as CDs. There is a question surrounding namespaces (single or per-extension), which relates to Ashish's point and could affect the metadata extension document (5c below) in minor fashion -- involving namespace changes.

Eve: Do we want to delay two weeks while we decide this?

Scott: Let's discuss today, but not hold up the public-review vote. Deciding this issue will help us know how to go forward with extensions in general.

Jeff: Would like to document the methodology and have that be unchanging.

Scott: But each schema would want to change along with the namespace. Having a general policy is good, though.

Jeff: Cares mostly about the protocol extensions document (6 below; not up for public-review voting).

Greg: If the protocol extension were in the original core spec, the namespace would be fairly general.

Scott: Notices that the metadata extensions document is badly off when it comes to managing this issue, so he'd like to pull it out of consideration for public review (modifying the motion) so it can be fixed.

Modified motion: Put *three* of the documents into public review (5a, 5b, 5d). APPROVED by unanimous consent.

> a.
> Committee Draft of SAML Attribute Sharing Profile for X.509 Authentication-Based Systems
> http://www.oasis-open.org/committees/download.php/14006/sstc-saml-x509-authn-attrib-profile-cd-01.pdf

To be put into public review (see above).

> b.
> Committee Draft of SAML XPath Attribute Profile (HTML version also available; accompanying schema)
> http://www.oasis-open.org/committees/download.php/16112/sstc-saml-xpath-attribute-profile-cd-01.pdf
> Schema: http://www.oasis-open.org/committees/download.php/14194/draft-saml-schema-xpath-attribute-profile-1.xsd

To be put into public review (see above).

> c.
> Committee Draft of SAML Metadata Extension for a Standalone Attribute Requester
> http://www.oasis-open.org/committees/download.php/13845/sstc-saml-metadata-ext-cd-01.pdf
> Schema: http://www.oasis-open.org/committees/download.php/13846/sstc-saml-metadata-ext.xsd

Scott would like to revise this before proposing it for public review (see above).

> d.
> Committee Draft of SAML V1.x Metadata Profile
> http://www.oasis-open.org/committees/download.php/13254/sstc-saml1x-metadata-cd-01.pdf
> Schema: http://www.oasis-open.org/committees/download.php/13255/sstc-saml1x-metadata.xsd

To be put into public review (see above).

> 6.
> New/Updated drafts published to SSTC
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/16632/draft-saml-protocol-ext-02.pdf

(See above for additional discussion about namespace selection for this document.)

Prateek: Is the idea to have a core namespace for all extensions?

Jeff: Yes, if the extensions come from this TC. The idea is for it to be less work to do more extensions.

Greg: Is ambivalent. Might it be easier to have separate documents?

Jeff: We don't have a clear procedure for superseding prior documents.

Eve: Concerned about creating a namespacing framework that's too heavyweight.

Scott: Has decided there's likely more pain in doing a single document. The only cost to implementing the "multiple namespaces" approach is that the metadata extension document we already produced will probably need a namespace change, so he'll have to produce a new draft and we'll have to do a new CD vote for it.

AI: Scott to submit new drafts of the metadata extension document and the protocol extension document (may require breaking up the latter into multiple documents) for consideration as CDs.

AI: Prateek to get OASIS processes in the works to start public review of the X.509 Attribute CD, the XPath Attribute CD, and the SAML V1.1 Metadata Profile CD.

> 7.
> Recent Threads
>
> a. *ECP profile question*
> http://www.oasis-open.org/archives/security-services/200602/msg00002.html

Brian: His original proposal for a fix was improved upon by Thomas:
http://lists.oasis-open.org/archives/security-services/200602/msg00009.html

Jahan: He reopened PE 35 and captured the discussion and the latest proposal from Thomas.

Scott: The "relative URL" bit comes from the PAOS spec, and he's not crazy about it since it requires the client to be responsible for expanding the URL.

Brian (?): We shouldn't be promoting non-ideal examples, since people use those as implementation guides.

Scott: Let's not list a relative URL.

Prateek: Can we do a hard restriction against relative URIs?

Scott: If we make this a SHOULD NOT, it doesn't help implementors much, but at least we avoid a new version of the profile. At least the example shouldn't show the non-desired behavior.

Eve: Let's at least do the soft restriction and fix the example for now, since this can be an erratum.

AI: Brian to write up a new PE35 proposal, adding a soft restriction on relative URLs and changing the example to match.

> b. *Revised encryption guidelines text*
> http://www.oasis-open.org/archives/security-services/200602/msg00020.html

This is PE43.

Scott: He has prepared what is mostly a wholesale replacement of the encryption section. The use cases have been made consistent, so as not to confuse people. Both forwards and backwards references (data to key, key to data) are SHOULDs.

Heather: This is looking good; an improvement on her original text.

Scott: People should review the new text! And it needs to be run against a validator.

Eve: How easy would it be to produce a red-line version?

Scott: A wholesale change indicating lines xxx-yyy would be most appropriate.

Prateek: We will vote on this change next time.

AI: Heather will attempt to validate the schema changes before next week. (This is a continuation of AI #0250; see below.)

> c. Question about shared credential use-case
> http://www.oasis-open.org/archives/security-services/200602/msg00001.html

This remains open.

> d. *AuthnContext comparison clarifications*
> http://www.oasis-open.org/archives/security-services/200602/msg00024.html

There is no current PE for this.

Scott: He took an AI a long time ago to look into potential improvements. He has come up with a candidate paragraph that explains what we meant regarding individual authentication contexts (vs. some kind of precedence order of the input).

AI: Jahan to create a new PE with Scott's suggestion.

> 8.
> Errata Review
> http://www.oasis-open.org/apps/org/workgroup/security/download.php/16655/sstc-saml-errata-2.0-draft-23.pdf

PE10: Jahan: He had an AI to propose text (see line 283 in Errata rev 23). Jahan: Moves to accept his proposed text. Eve seconds. ACCEPTED by unanimous consent. PE10 is now closed and approved.

PE23: Still open.

PE35: Just discussed.

PE43: Just discussed.

New PE44: This is about "constrained delegation", but we want to rename it. Scott will propose something.

> 9.
> Open AIs
>
> #0251: Comment on Shared credential draft document
> Owner: Hal Lockhart
> Status: Open
> Assigned: 2006-02-13
> Due: ---

Closed. Hal sent a comment recently:
http://lists.oasis-open.org/archives/security-services/200602/msg00033.html

> #0250: PE 43
> Owner: Heather Hinton
> Status: Open
> Assigned: 2006-02-13
> Due: ---

This one is still open pending the validation activity Heather promised above.

> #0249: Open an erratum place holder for Constrained Delegation
> Owner: Jahan Moreh
> Status: Open
> Assigned: 2006-02-13
> Due: ---

Closed; this is PE44.

> #0248: Provide draft of IBM's SAML 2.0 research report
> Owner: Anthony Nadalin
> Status: Open
> Assigned: 2006-02-13
> Due: ---

Still open.

> #0247: As per 17-Jan call: Prateek has received some feedback on the constrained delegation profile and will produce a revision next week.
> Owner: Prateek Mishra
> Status: Open
> Assigned: 2006-01-30
> Due: ---

Closed; Prateek and Scott have agreed on a slightly different approach.

> #0246: Jahan to revise the PE 10 wording proposal "clarifying that anyURI is indeed the right interpretation" for the Reason attribute.
> Owner: Jahan Moreh
> Status: Open
> Assigned: 2006-01-30
> Due: ---

Closed; PE10 closed today.

> #0245: Per 17-Jan con-call: Greg W. to propose some clarifying text for the attribute profile section re: the issues discussed on the call.
> Owner: Greg Whitehead
> Status: Open
> Assigned: 2006-01-30
> Due: ---

Still open. Greg: He has no recollection of this! Will figure it out.

> #0243: Clean up text in Section 188.8.131.52.1 (RequestedAuthNContext)
> Owner: Scott Cantor
> Status: Open
> Assigned: 2006-01-17
> Due: ---

Closed; discussed above.

> #0242: Recommended text for SAML Attr Sharing Profile
> Owner: Rob Philpott
> Status: Open
> Assigned: 2006-01-17
> Due: ---

Still open.

> #0240: Status of SAML 2.0 submission to ITU T
> Owner: Olivier Dubuisson
> Status: Open
> Assigned: 2005-11-07
> Due: ---

Still open. Hal: Abbie should be our main contact. The process is proceeding -- it's the "mulling" period. :-)

> #0238: Plan for red-line versions of SAML 2.0
> Owner: Eve Maler
> Status: Open
> Assigned: 2005-11-07
> Due: ---

Still open.

> #0234: Nick to prepare some text for PE 23.
> Owner: Nick Ragouzis
> Status: Open
> Assigned: 2005-10-10
> Due: ---

Still open; discussed above.

> #0230: SAML Conformance SSL/TLS requirements
> Owner: Eric Tiffany
> Status: Open
> Assigned: 2005-09-12
> Due: ---

Still open.

> #0180: Need to update SAML server trust document
> Owner:
> Status: Open
> Assigned: 2004-07-12
> Due: ---

Closed with no action. Scott: No one has been clamoring for it, and if we did work on it, it would contribute to an implementor's guide more than anything.

- AOB:

Hal: Notes that Jahan will be speaking at RSA on SAML, and Hal will be following with an XACML talk.

RLBob: He's speaking Thursday on UI issues, with a SAML connection.

Late arrivers: Jahan.

Adjourned.

--
Eve Maler                                   +1 425 947 4522
Technology Director                    eve.maler @ sun.com
CTO Business Alliances group
Sun Microsystems, Inc.